Linux Suspicious Process

These detections identify suspicious activity from process start records collected by the Insight Agent from Linux endpoints.

Attacker - Sudo Privilege Escalation Attempt

Description

Looks for the attempted exploitation of a vulnerability in sudo that allows standard users to become root by specifying a user id of -1 or 4294967295.

Recommendation

Review the command in question passed to sudo to see if it was executed successfully under the context of the root user.

MITRE ATT&CK Techniques

  • Exploitation for Privilege Escalation - T1068

Attacker Technique - Apache Struts/Tomcat Spawns Uname

Description

This detection identifies 'uname' being spawned by 'java' running an Apache Tomcat web service. This technique is used by malicious actors to validate that an Apache Struts Tomcat server was successfully exploited.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Exploit Public-Facing Application - T1190

Attacker Technique - Cat /etc/shadow

Description

This detection identifies the /etc/password file appearing in a command line. A malicious actor may try to dump the contents of this file for offline password cracking.

Recommendation

Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • /etc/passwd and /etc/shadow - T1003.008

Attacker Technique - Curl Or WGet To External IP Reporting Server IP In URL

Description

This detection identifies the 'curl' or 'wget' utility being used to access a web server at a remote IP address while reporting the IP address of the vulnerable system in the URL. Malicious actors use utilities such as these to call back to systems they have access to in order to validate which systems the attack was successful against.

Recommendation

Examine the IP address that is being contacted. Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port

Description

This detection identifies the 'curl' or 'wget' utility being used to access a web server at a remote IP address on a non-standard port. Malicious actors often use utilities such as these to download additional payloads after gaining access to a target resource.

Recommendation

Examine the IP address that is being contacted. Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Attacker Technique - Linux Reverse Shell

Description

This detection identifies simple techniques to create a reverse shell in Linux using built-in utilities. Malicious actors use this technique to deliver a shell from the compromised host back to their system so that additional system commands can be executed post-compromise.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059

Attacker Technique - Perl Use Socket Reverse Shell

Description

This detection identifies simple 'perl' based reverse shells using the 'Socket' module being passed on the command line. Malicious actors use this technique post-compromise to deliver a shell from the compromised host back to their system so that additional system commands can be executed.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Non-Application Layer Protocol - T1095

Attacker Technique - Shell Redirection To or From /dev/tcp

Description

This detection identifies redirection of a shell to a remote host through the device '/dev/tcp'. Malicious actors use this technique to deliver a shell from a compromised host back to their system so that additional commands can be executed post-compromise.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Non-Application Layer Protocol - T1095

Attacker Technique - Unshadow

Description

This detection identifies the 'unshadow' utility being executed. This technique is used by malicious actors to retrieve the contents of the '/etc/shadow' and '/etc/password' files and prepare them for password cracking utilities.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • OS Credential Dumping - T1003
  • /etc/passwd and /etc/shadow - T1003.008

Attacker Tools - Cobalt Strike Client Application - Linux

Description

This indicator is designed to detect the usage of the penetration testing/post-exploitation framework Cobalt Strike. This indicator is specific to Linux operating systems.

Recommendation

Investigate the process events to identify if this activity is authorized and expected within the client network.

MITRE ATT&CK Techniques

  • Obtain Capabilities - T1588

Attacker Tool - Unknown Webshell Style Command

Description

This detection identifies commands being executed with the prefix of 'cd "/";' and a suffix of '2>&1' in the command line. This style of command execution has been used by malicious actors post compromise with webshell(s) of an unknown type.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Command and Scripting Interpreter - T1059
  • Server Software Component - T1505
  • Web Shell - T1505.003

Cryptocurrency Miner - Identify Writable Directories

Description

This detection identifies the 'touch' command being used to attempt to write a file, called 'writable', to various directories. This has been observed in cryptocurrency mining malware that is attempting to find writable directories.

Recommendation

Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - Kworker

Description

This detection identifies Kworker being used. Kworker is a customized version of the Linux bitcoin mining software Minerd. Malicious actors drop Kworker on systems post-compromise via other malware, such as Mirai.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - MinerGate

Description

This detection identifies the command line including the string 'Minergate'. 'Minergate' is a command line Bitcoin miner often deployed by malicious actors.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - Mining Pool URL in Command Line

Description

Mining pools are a way for multiple systems running cryptomining software to pool their resources over the network. Cryptocurrency mining malware will often use mining pools to increase efficiency, as it allows all of the attacker's compromised systems to work together.

Recommendation

Identify the miner process on the system. This can often be done easily by doing a process listing and identifying the process using the most CPU resources.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - Process Kills Other Mining Processes

Description

This detection identifies the 'kill' command being used in an attempt to stop the processes of cryptocurrency miners. Cryptocurrency miners will attempt to identify any other miners running on a system to ensure that they will not be competing for resources.

Recommendation

Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - Watchbog

Description

Watchbog is a cryptocurrency mining trojan for Linux. It downloads payloads from Pastebin, and spreads laterally by exploiting Jenkins and Redis server vulnerabilities.

Recommendation

Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Cryptocurrency Miner - XMRig

Description

This detection identifies command line arguments consistent with XMRig. XMRig is a command line Monero miner often deployed by malicious actors.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Resource Hijacking - T1496

Defense Evasion - HISTCONTROL=ignorespace

Description

This detection identifies the environment variable HISTCONTROL=ignorespace being added on Linux systems. This will cause any commands starting with a space to not be logged in the history file.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Clear Command History - T1070.003

Linux - Execution from Hidden Temp Directory

Description

Linux-based malware, particularly malware with a cryptocurrency mining component, is often observed using hidden directories inside the /tmp directory. These directory names start with a '.', for example /tmp/.malware.

Recommendation

Identify the process launching from the hidden directory and attempt to determine whether it is expected behavior. If it is a cryptocurrency miner, it will likely cause CPU usage to spike to 100%, which is an easy way to identify it.

MITRE ATT&CK Techniques

  • Hidden Files and Directories - T1564.001

Linux - Execution of Shared Object from Hidden Temp Directory

Description

Linux-based malware, particularly malware with a cryptocurrency mining component, is often observed executing Shared Object (.so) files from hidden directories inside the /tmp directory. Their file paths will resemble /tmp/.hidden/malware.so.

Recommendation

Identify the process loading the shared object file and attempt to determine whether it is expected behavior. If it is a cryptocurrency miner, it will likely cause CPU usage to spike to 100%, which is an easy way to identify it.

MITRE ATT&CK Techniques

  • Hidden Files and Directories - T1564.001

Reconnaissance - Multiple SSH Discovery Commands

Description

This detection identifies multiple commands being run that attempt to discover information about SSH activity on the system. These commands include searching for id_rsa and known_hosts files, searching the contents of the bash_history file, searching the contents of the .ssh/config file, and searching for .pem certificates.

Recommendation

Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • SSH - T1021.004
  • SSH Authorized Keys - T1098.004

Suspicious Command - Remove and Recreate SSH Config Folder

Description

This detection identifies the ~/.ssh directory being removed and recreated. Malware has been observed doing this in order to overwrite any existing SSH configurations with its own.

Recommendation

Investigate the new files in the ~/.ssh directory. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • SSH - T1021.004
  • SSH Authorized Keys - T1098.004

Suspicious Command - SSH Key Echoed to Authorized Keys File

Description

This detection identifies SSH keys being echoed via the command line into the ~/.ssh/authorized_keys file. Malware has been observed doing this in order to allow SSH access to the operator.

Recommendation

Investigate the key that was added. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • SSH - T1021.004
  • SSH Authorized Keys - T1098.004

Suspicious File - File Copied to Web Directory

Description

This detection identifies the mv command being used to move a file to a www directory. This may indicate a malicious actor is placing a web shell.

Recommendation

Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Shell - T1505.003

Suspicious Process - Apache Launches Wget or Curl

Description

This detection identifies an Apache process launching Curl or Wget. This may be done by a malicious actor who has compromised a web server in order to download additional malware.

Recommendation

Investigate the URL that is being contacted and whether or not it has a legitimate business use. If this activity is not benign or expected, consider rebuilding the host from a known, good source.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105
  • Web Shell - T1505.003

Suspicious Process - base64 Output Piped to Shell

Description

This detection identifies the base64 utility being used to decode base64-encoded command line arguments before passing them on to a shell process such as bash for execution. Malicious actors may use base64 encoded payloads to avoid detection.

Recommendation

Investigate the contents of the base64 encoded string. Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Deobfuscate/Decode Files or Information - T1140
Suspicious Process - cat Used to View Bash History File

Description

This detection identifies the cat command being used to show the contents of a .bash_history file. This file contains a history of shell commands that a user has run, and a malicious actor may inspect these commands to identify passwords or other sensitive information.

Recommendation

Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password and the passwords of any account that may have appeared in the history file.

MITRE ATT&CK Techniques

  • Bash History - T1552.003

Suspicious Process - ColdFusion Webserver Spawns Shell Process

Description

This detection identifies shell processes such as 'cmd.exe' or bash being spawned by a ColdFusion process. Suspicious processes launched by ColdFusion may indicate a compromise of the web server.

Recommendation

Investigate the commands being run and attempt to determine their purpose. Look for signs of further activity from a potential malicious actor, such as host or network discovery commands being executed, as these often precede attempts at lateral movement.

MITRE ATT&CK Techniques

  • Web Shell - T1505.003

Suspicious Process - Common Compromised Linux Webserver Commands

Description

This detection identifies commands that Rapid7 has observed being run on compromised Linux webservers, especially those that have been compromised via Oracle Weblogic vulnerabilities CVE-2020-14882 and CVE-2020-14883, as well as Atlassian Confluence vulnerability CVE-2021-26084.

Recommendation

Investigate the processes spawned. Some commands may be encoded in hexadecimal or base64; decode these so that their intent can be determined. If this activity is not benign or expected, consider rebuilding the host from a known, good source and updating to the latest version of the server software.

MITRE ATT&CK Techniques

  • Exploit Public-Facing Application - T1190

Suspicious Process - Confluence Java App Launching Processes

Description

This detection identifies processes being launched by the Atlassian Confluence server app. Malicious actors have been observed exploiting CVE-2021-26084 or CVE-2022-26134, vulnerabilities in Confluence that can allow execution of arbitrary processes. Confluence does sometimes spawn processes legitimately, but special attention should be paid to common reconnaissance commands like whoami or ifconfig, as well as any commands that indicate additional files being downloaded, such as curl or wget.

Recommendation

Investigate the processes spawned by Confluence. Some commands may be encoded in hexadecimal or base64; decode these so that their intent can be determined. If this activity is not benign or expected, consider rebuilding the host from a known, good source and updating to the latest version of Confluence.

Additional information can be found on Rapid7's blog:

  • CVE-2021-26084: https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
  • CVE-2022-26134: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

MITRE ATT&CK Techniques

  • Exploit Public-Facing Application - T1190

Suspicious Process - Curl Downloading From Cloudfront URL

Description

This detection identifies the 'curl' command being used to download data from a CloudFront URL. Malicious actors have been observed using 'curl' to download second stage payloads from CloudFront.

Recommendation

Investigate the contents of the CloudFront URL. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Service - T1102
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Downloading Shell Script

Description

This detection identifies Curl being used to download a shell script. The Curl utility is often used by malicious actors to download additional payloads on compromised Linux systems.

Recommendation

Investigate the URL and the file that was pulled from it. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Curl or WGet Pipes Output to Shell

Description

This detection identifies output from the Curl or WGet utility being piped to bash or another shell process. Malicious actors may use Curl or WGet to download additional malware, and pipe that malware to a shell for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the shell process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Perl

Description

This detection identifies output from the Curl utility being piped to Perl. Malicious actors may use Curl to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Python

Description

This detection identifies output from the Curl utility being piped to Python. Malicious actors may use Curl to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Python - T1059.006
  • Ingress Tool Transfer - T1105

Suspicious Process - Deleting ld.so.preload

Description

This detection identifies the file ld.so.preload being deleted. This file contains a list of libraries that will be loaded by any user-mode process, and a malicious actor may replace it with one that points to their own malicious code.

Recommendation

Investigate the contents of the ld.so.preload file. Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Shared Modules - T1129

Suspicious Process - Execution From Hidden Directory In tmp

Description

Looks for the execution of processes from within a hidden file or directory under /tmp.

Recommendation

Review the binary being executed.

MITRE ATT&CK Techniques

  • Hidden Files and Directories - T1564.001

Suspicious Process - Fetch Command to External IP Address

Description

This detection identifies the fetch command being used to communicate with an external IP address. Malicious actors use the fetch command to download second stage payloads during Linux compromises.

Recommendation

Investigate the IP address that is being contacted and the contents of any files named 'fetch.txt', as this is the default file that the fetch command will write to. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Grepping Shell History

Description

This detection identifies the Grep command being used to search the contents of the shell history file. A malicious actor may do this in order to identify sensitive information such as passwords, or targets for lateral movement.

Recommendation

Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Bash History - T1552.003

Suspicious Process - Hidden Process Executes from Home Directory

Description

Looks for processes with hidden file names being executed from a user's home directory. This technique is often employed by attackers post-compromise to try to hide coinminers or other potentially unwanted programs.

Recommendation

Review the file in question to see if it is malicious in nature.

MITRE ATT&CK Techniques

  • File and Directory Permissions Modification - T1222
  • Hide Artifacts - T1564
  • Hidden Files and Directories - T1564.001

Suspicious Process - Linux Adding User using dbus-send CreateUser

Description

This detection identifies a user creation attempt using the Linux dbus-send command. The underlying polkit vulnerability can be exploited to escalate privileges to root, and malicious actors can use it to add a root-level user, thus gaining root access to the system.

Recommendation

Confirm whether this activity is benign or expected. If it is not expected, consider rebuilding the host from a known, good source and having the user change their password. Also check for any new root user that may have been added through successful exploitation of this vulnerability.

Suspicious Process - Linux Setting User Password using dbus-send SetPassword

Description

This detection identifies a SetPassword attempt using the Linux dbus-send command. The underlying polkit vulnerability can be exploited to escalate privileges to root, and malicious actors can use it to add a root-level user and set its password, thus gaining root access to the system.

Recommendation

Confirm whether this activity is benign or expected. If it is not expected, consider rebuilding the host from a known, good source and having the user change their password. Also check for any new root user that may have been added through successful exploitation of this vulnerability.

MITRE ATT&CK Techniques

  • Exploitation for Privilege Escalation - T1068

Suspicious Process - Linux System OS Discovery Command

Description

This detection identifies an attempt to use cat to output the contents of files in the /etc directory that may contain OS information. Malicious actors may do this to know what OS version to target. This command has been observed in use by the RotaJakiro malware.

Recommendation

Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Software Discovery - T1518

Suspicious Process - Linux Webserver Executing Commands

Description

Identifies suspicious commands executed by processes belonging to commonly used webserver software, such as Apache or Nginx. Commands executed by a webserver process can be indicative of a web shell or otherwise compromised webserver.

Recommendation

Determine whether the commands being executed are part of the expected operation of the server. If not, investigate any files, domains, or IP addresses that the executed commands may have interacted with.

MITRE ATT&CK Techniques

  • Web Shell - T1505.003

Suspicious Process - lwp-download to External IP Address

Description

This detection identifies lwp-download, a Linux utility for downloading files from the internet. Malicious actors can use lwp-download to download second stage payloads during Linux compromises.

Recommendation

Examine the command run and the URL it is contacting. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Possible Reverse Shell

Description

This detection identifies a number of reverse shells that can be created using mostly built-in Linux functions. Attackers may use these reverse shells for C2 purposes.

Recommendation

Examine the process that spawned the shell, and anything that the shell process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004

Suspicious Process - ssh_authorized_keys in Command Line

Description

This detection identifies when the ssh_authorized_keys file appears in a command line. A malicious actor may modify this file so that they may access the host with their own SSH key.

Recommendation

Ensure that the key corresponds to a host from which authorization is expected.

MITRE ATT&CK Techniques

  • SSH Authorized Keys - T1098.004

Suspicious Process - SysJoker Process Names

Description

This detection identifies process names associated with the SysJoker malware family. SysJoker is a multi-platform backdoor that masquerades as a system update.

Recommendation

Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Masquerading - T1036

Suspicious Process - VMware Workspace ONE Access Launches Process

Description

This detection identifies the Apache prunsrv component of VMware Workspace ONE Access launching suspicious processes. This may be indicative of remote code execution resulting from exploitation of CVE-2022-22954. See our blog post for more information: https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/

Recommendation

Ensure VMware components are upgraded to the latest version. Review the process that was launched and any processes that it may have launched. If this activity is not benign or expected, consider rebuilding the host from a known, good source.

MITRE ATT&CK Techniques

  • Exploitation of Remote Services - T1210

Suspicious Process - WGet Output Piped to Bash

Description

This detection identifies output from the WGet utility being piped to bash or another shell process. Malicious actors may use WGet to download additional malware, and pipe that malware to bash for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the bash process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Wget Output Piped to Perl

Description

This detection identifies output from the WGet utility being piped to Perl. Malicious actors may use WGet to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - WGet Output Piped to Python

Description

This detection identifies output from the WGet utility being piped to Python. Malicious actors may use WGet to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Wget to External IP Address

Description

Identifies the wget utility being used to download files from an external IP address. Wget is often used by attackers on Linux-based systems to deploy additional tools after establishing a foothold on a system.

Recommendation

Determine the nature of the IP address by checking WHOIS and DNS records. If no obvious reason for downloading from that IP address exists, attempt to acquire and analyze the file that was downloaded from it.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - WSO2 Product Launches Suspicious Process

Description

This detection identifies suspicious processes launched by a WSO2 product process, which may be indicative of exploitation of CVE-2022-29464. CVE-2022-29464 is an unrestricted arbitrary file upload vulnerability which can lead to remote code execution. Rapid7 has observed this CVE being actively exploited in the wild.

Additional information can be found on our blog: https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/

Recommendation

Investigate any .jsp or .war files created around the time of this activity; they may be web shells.

Additional information and remediation steps can be found in WSO2's advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738

MITRE ATT&CK Techniques

  • Exploit Public-Facing Application - T1190
  • Exploitation for Client Execution - T1203